Wages Protection System: WPS Wages File Specification


Table of Contents

1 Introduction
1.1 Purpose
1.2 Definitions & Acronyms
1.3 Intended Audience
1.4 Assumptions
1.5 References
1.6 Business Objectives
1.7 Wages Output File Format
1.8 WPS Wages output file Groups
1.8.1 Header Group
1.8.2 Header Group metadata
1.8.3 Content/Repeating Group
1.8.4 Content/Repeating Group metadata
2 Transfer of Wages file from Establishment(s) to Bank(s)
3 Transfer of Wages output file from Bank(s) to Establishment(s)
3.1 Current process of wages output files by Bank(s)
3.2 Expected process of wages output file by Bank(s)
3.3 Signing of Processed Wages file by Bank
3.3.1 WPS Recommendations about Digital Signature
3.3.2 Purchase Digital Certificate from Certificate Authority
3.3.3 Digital Certificate
3.3.4 Steps to Append Digital Signature to Wage File
3.4 Communicating the output file back to Establishment
3.5 Validating Digital Signatures by WPS
4 Encryption Risk Assessment (Exchanging the File between Establishments and Banks)
4.1 Risk involved in not encrypting the WPS wages file/data
5 Appendix
5.1 Transaction Failure Reason Table
5.2 SARIE Bank IDs
5.3 File Rejection Codes


Table of Figures

Figure 1 Bank Process
Figure 2 Wage output file format
Figure 3 Header Group
Figure 4 Content Group
Figure 5 Content/Repeating Group (Wages file before processing by Bank)
Figure 6 Content/Repeating Group (Wages file after processed (by Bank(s))
Figure 7 Digital Signature tool GUI
Figure 8 Selection option to append DS to multiple files
Figure 9 Digitally Signed files with Timestamp
Figure 10 Output signed files in the output folder


1 Introduction

1.1 Purpose

This document sets out the technical specification of the WPS Wages output file format, which is processed by banks for crediting wages to Employees. Banks are expected to receive this wages file, or a payroll file, which is sent by, or on behalf of, the Establishment of the Beneficiary customer (Employee) to the Establishment's Bank. It is used to convey a set of funds transfer instructions to the Establishment's Bank: to pay specified amounts to the bank accounts of individual Employees, whether the Employee's account is with the same bank or with another bank in Saudi Arabia, and to debit the total amount to the bank account of the Establishment in the books of the Establishment's Bank. The WPS Wages Payment Message File is referred to as the Wages File in the rest of this document.

1.2 Definitions & Acronyms

Any terms or acronyms used within this document have to be defined in this section.

| Term / Acronym | Definition |
|---|---|
| WPS | Wages Protection System |
| MoL | Ministry of Labor |
| Establishment | Enterprises or Employers that are registered with MoL and have a valid MoL unified Number |
| MoL Establishment ID | The unique MoL ID that is used to identify an establishment in the MoL database. |
| Bank | Banks that operate under the guidelines of SAMA |
| Employee/Laborer | A person (who has a valid ID or IQAMA and, in the case of an Expat, valid MoL work permits) to whom the Establishment pays a wage. |
| CA | Certificate Authority (Provides Digital Signatures) |
| VeriSign | Digital Certificate Vendor |
| Trusted parties | In cryptography, a trusted third party (TTP) is an entity which facilitates interactions between two parties who both trust the third party |
| Public Key | A value provided by some designated authority as an encryption key that, combined with a private key |
| Private Key | An encryption/decryption key known only to the party or parties that exchange secret messages |
| Other earnings | All earnings other than basic pay and Housing are considered other earnings. For example: Transportation allowances, Incentives, Bonus, reimbursement, leave encashment etc. |
| Deductions | All deductions made from a particular month's salary are considered deductions. For example: GOSI (9% for Saudi or 2% for Expat), loss of pay, deduction for disciplinary action, IQAMA charges deduction, Loans from enterprise, monthly subscription, Insurance upgrade etc. |
| Total Amount | Sum of all amounts of all transactions |
| CD | Compact Disk |
| CSV | Comma separated value file; the comma is one of the delimiters used in a text file to separate values |
| Cryptography | Cryptography is the practice and study of techniques for secure communication in the presence of third parties |
| Encryption | In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. |
| SSL | Secure Sockets Layer, a cryptographic protocol that provides communication security over the Internet. |
| Rijndael Cryptography | Rijndael Cryptography is an Advanced Encryption Standard (AES) specification for the encryption of electronic data |
| RC4 | In cryptography, RC4 (also known as ARC4 or ARCFOUR, meaning Alleged RC4) is the most widely used software stream cipher and is used in popular protocols such as Secure Sockets Layer (SSL) (to protect Internet traffic) and WEP (to secure wireless networks). |
| Algorithm | In mathematics and computer science, a step-by-step procedure for calculations. Algorithms are used for calculation, data processing, and automated reasoning. |
| DES(124K) | Data Encryption Standard |
| Saudi Identification | National ID |
| Expat Identification | Iqama Number |
| Digital Certificate | A public key certificate is an electronic document which uses a digital signature to bind a public key with an identity |
| Payment description | A message from the sender (Establishment) to the receiver (bank), typically a description of the main transaction, e.g. (July Salary). |
| Text file | A text file with an extension of CSV where values in the file are delimited by TAB |
| SARIE | Saudi Arabian Interbank Express |
| SWIFT | The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment |
| Input Requirement | Specifies whether a Field is Mandatory (must be present in the message and cannot be blank) or Optional (can be used in the WPS Payment Message File if required but can be skipped if not necessary for a particular message). The contents of this column are: M (Mandatory), O (Optional). |
| Field Tag | This is the label which must appear at the start of the Field. The Field Tag must always be enclosed in square brackets, e.g. [32A AMT]. Square brackets must not be used anywhere else in the Field Contents. These Field Tags are used later in this document to link the Field Specifications, Field Description & Usage Rules, General Usage Rules, File Rejection Codes and Return Codes. |
| Field Name | This is a short description of the contents of the individual Field, used to give a brief explanation of the contents that should appear in this Field. The Field Name does not appear in the WPS Payment Message File; the Field Tag is sufficient to clearly identify the particular field which follows. A more detailed description of the data to be included in each Field is given in the section headed Field Description & Usage Rules. The section below headed Field Usage provides further information on the usage rules for each field. |
| Format | This column provides the formatting rules for each individual Field. The conventions used within this column are set out in the section below headed Format Conventions. It shows whether the Field has a Fixed length, a Minimum or a Maximum length, and what types of characters are permitted in the Field. |
| M | Mandatory field |
| O | Optional Field |
| Repeating Group | Shows the group of Fields which can be repeated within a WPS Payment Message File |
| Header Group | Shows the group of Fields which will appear only once in a WPS Payment Message File to be transmitted from the Employer to the Employer's Bank |

Table 1 Definitions and Acronyms

1.3 Intended Audience

Intended audiences for the WPS Wages Output File Specification document are:
• Technical teams of Banks
• Technical team of Establishments
• Technical Team of SAMA
• Technical/Business team from MoL

1.4 Assumptions

1. All fields with the Field Tag [MOL-XXX] are intended for the use of the Ministry of Labor only in the Wages Protection System (WPS). These fields will not be used or validated by the Establishment's Bank. The contents of these fields will be relayed unchanged back to the Establishment by the Establishment's Bank.
2. The Wages File should be of file type txt, with values delimited by TAB.
3. Each Wages File prepared should be in only one language (English or Arabic). A combination of languages is not allowed within a single field.
4. The accounts of the Establishments should be in WPS-certified banks.

1.5 References

References

Minutes of Meeting with SAMA & other stakeholders.

WPS Payment Message File - Payment fields formats - VER 1 2 by SAMA

Banks workshops

1.6 Business Objectives

1. The objective of the Wages File specification document is to provide the technical details of each field of the wages output file: data types, whether the field is Mandatory or Optional, usage rules, what information the bank(s) should append to the wages file after processing it, and how to certify the Wages File after processing the wages file transaction and send it back to establishments.
2. Establishments will prepare their Wages File based on the agreement between the bank and the establishment, with the minimum WPS required fields, and send it to the banks for processing wages. Establishments should use their common practice while transferring the wages file to banks.
3. The output file from banks to the establishment should comply with the WPS file specifications.
4. Establishments should make sure that the Wages file they prepare uses one language in a single field (either English or Arabic).
5. The currency of the wages file should be only Saudi Arabian Riyal (SAR).
6. Banks should process the Wages File and prepare an output file for WPS that includes the following MoL requested information:
   a. Transaction Reference
   b. Failure Reason (if applicable)
   c. Transaction Status (Success / Failed)
   d. Transaction Date
   e. File Rejection Code (if applicable)
7. After preparing the output Wages File, the banks should digitally sign the File, so that WPS can identify that the file was processed by the bank and was not modified.
8. After digitally signing the file, the bank should return the Output File to the establishment as agreed (using their common communication practice) by banks.
9. The output File will be uploaded to WPS by the Establishment as agreed with MoL.

Figure 1 Bank Process

[Flowchart from Start to End across the Establishment, Bank and WPS, with steps marked "Out of WPS Scope" or "In WPS Scope":
1. Establishment prepares the wages file (Wages File or Payroll file) and sends it to the bank (recommended to use a secure channel).
2. Banks process and certify the wages file as per WPS requirements and send the WPS output file back to the establishment (recommended to use a secure channel).
3. Establishment uploads the wages file received in step 2 from the banks to WPS.]


1.7 Wages Output File Format

1. This section describes the Wages File format proposed during the Banks workshop held on 14th May 2012.
2. The proposed output file type should always be a txt (CSV) file. Values in the file are separated by the TAB delimiter. A "-" at the beginning of a line is treated as the end of the file data.
3. The frequency of generating the Wages file is determined by Establishments. The output file will be generated by the Establishment's bank 5 business days after the value date (T+5).
4. WPS is targeted at Employees (individuals) who are on work permits or registered in MoL via GOSI (Nationals and Expats). Individuals on a business visa are not considered.
5. The currency of the wages file should be only Saudi Arabian Riyal (SAR).
6. The Wages output file should consist of two groups of fields:
   i. Header Group
   ii. Content/Repeating Group

Figure 2 Wage output file format

1.8 WPS Wages output file Groups

The following section describes the proposed Wages output File in detail.

1.8.1 Header Group

The Header Group should be located at the top/beginning of the Wages output File and should exist only once in Wages output File. Header section fields are used to provide summary/control information for each particular Wages output File and details about the establishments requesting the bank to process the Wages File.

Header Group consists of the following fields of information about establishments

• [DEST-ID] - Establishment's Bank
• [ESTB-ID] - Establishment's ID
• [BANK-ACC] - Establishment's Bank Account Number
• [32A-CCY] - Currency Code
• [32A-VAL] - Value Date
• [32A-AMT] - Total Amount
• [D-DATE] - Debit Date
• [FILE-REF] - File Reference
• [FILE-REJCDE] - File Rejection Code
• [MOL-ESTBID] - MoL Establishment ID

The header section should look as follows:


Figure 3 Header Group

1.8.2 Header Group metadata

This section describes the fields of the Header group and format, field requirement, Field Tag and field name, description and usage rules.

The below table provides WPS Wages file Header group field specification

Header Group

| Input Requirement | Input By | Field Tag | Field Name | Format | Required by |
|---|---|---|---|---|---|
| M | Establishment | [DEST-ID] | Establishment's Bank | 4!A | SAMA/Bank |
| M | Establishment | [ESTB-ID] | Establishment's ID | 10d | Bank |
| M | Establishment | [BANK-ACC] | Establishment's bank account number | 24!X | SAMA/Bank |
| M | Establishment | [32A-CCY] | Currency Code | 3!A | SAMA/Bank |
| M | Establishment | [32A-VAL] | Value Date | 8!d | SAMA/Bank |
| M | Establishment | [32A-AMT] | Total Amount | 15d | SAMA/Bank |
| O | Establishment | [D-DATE] | Debit Date | 8!d | SAMA/Bank |
| M | Establishment | [FILE-REF] | File Reference | 16x | SAMA/Bank |
| Reserved for Bank use only | Banks | [FILE-REJCDE] | File Rejection Code | 6!A | SAMA/Bank |
| M | Establishment | [MOL-ESTBID] | MoL Establishment ID | 2d-15d | MoL |

Table 2 Group Header Fields

The below table provides WPS Wages file header group Field Description & Usage Rules

Field Tag Description and Usage Rules

Header Group

The fields in this section provide summary information about establishments and details of the establishment's relationship with Banks. This group of fields must appear only once in a WPS Wage Payment Message File.

[DEST-ID]

This is the ID of the bank to which the WPS Wage Payment Message File is being sent. This will always be the bank where the Establishment maintains the bank account from which its employees' wages are to be disbursed. The contents of the field will be the SARIE ID code for the bank.

Refer to the table 7 below entitled «SARIE Bank IDs» for the full list of Bank IDs.

[ESTB-ID]

ID of the Establishment registered with the bank. Banks can continue using their current standards.

[BANK-ACC]

This is the bank account number of the Establishment from which the full amount of the WPS Wages Payment Message File, as stated in field [32A-AMT], will be debited.


[32A-CCY]

This field specifies the Currency used for the transactions of the WPS Wages Payment Message File. The currency of the wages file should be only Saudi Arabian Riyal (SAR).

[32A-VAL]

This is the date on which the funds are to be paid to the Beneficiary. The date contained in this field must not be earlier than the sending date. The proposed format of the date is YYYYMMDD, either Hijri or Gregorian.

[32A-AMT]

This is the total amount of all of the individual transactions appearing in the Repeating Group fields of the same WPS Payment Message File. This must be equal to the sum of the individual transaction amount fields [32B-AMT] in the Repeating Group. The receiving bank will validate that the correct total amount appears in this field. If the WPS Payment Message File fails this validation check, the file will be rejected by the Establishment's Bank without further processing and the rejection advised to the Establishment. The Establishment must then correct the error and resend the full WPS Payment Message File to the Bank.

[D-DATE]

This is an optional field. This is the date on which the Establishment is asking the Bank to debit the Establishment's account. If the field is present, the date specified must be:
a) Not earlier than the sending date, and
b) Not later than the Value Date in field [32A-VAL]

If the field is not present, the Bank's standard arrangement, or the specific arrangement with the Establishment, will be used to decide on the date for debiting the Establishment's account. The proposed format of the date is YYYYMMDD, either Hijri or Gregorian.

[FILE-REF]

This field should be used for the Establishment's Reference for the full message. The reference used must be unique for the Establishment, i.e. the same reference must not be used in more than one WPS Payment Message File regardless of the date of sending. A duplicate File Reference will cause the entire WPS Payment Message File to be rejected by the Establishment's Bank. The contents of this field will be used by the Establishment's Bank for the following purposes:

1. It will appear on the Establishment's bank statement as the reference for the debit to its account.

2. It will be used by the Bank in all communications with the Establishment in relation to the particular WPS Wages Payment Message File.

[FILE-REJCDE]

This field is reserved for Bank use only. The list of codes to be used by Banks to indicate to the Establishment why the WPS Payment Message File has been rejected is set out in the table 8 below entitled «File Rejection Codes».

[MOL-ESTBID]

The number used to identify establishments in MoL. It is a combination of the labor office that the establishment belongs to and a sequential number (Labor Office – Sequential Number).

Table 3 Header Group Usage Rules

1.8.3 Content/Repeating Group

The Content/Repeating Group should come after the header group. The content group consists of a group of fields that are used to provide data for the individual transactions within the Wages File: multiple rows of wages/transactions data. This information should be filled in by the Establishment and processed by its bank. Each row in the content group describes one unique transaction to be processed by banks. The content group fields contain three subsets of Fields:

(i) Those fields specifically required to enable the Establishment's Bank to effect the individual payment transactions.
(ii) Those fields which are required specifically by the Ministry of Labor in connection with the Wages Protection System.
(iii) Those fields which are to be updated by Banks after execution of the individual payment transaction.

The content group consists of the following information for each transaction:
• [32B-AMT] - Net amount to be paid to the individual Employee
• [59-ACC] - Beneficiary's account number
• [59-NAME] - Beneficiary customer's name
• [57-BANK] - Bank Code where the Beneficiary's account is held
• [70-DET] - Payment Description
• [RET-CODE] - Return Code
• [MOL-BAS] - Employee Basic Salary for the current month
• [MOL-HAL] - Employee Housing Allowance for the current month
• [MOL-OEA] - Employee Other Earnings for the current month
• [MOL-DED] - Employee Deductions for the current month
• [MOL-ID] - Employee (Government) ID
• [TRN-REF] - Transaction Reference number
• [TRN-STATUS] - Status of individual transaction
• [TRN-DATE] - Transaction Date

The Content/Repeating Group should look as follows:

Figure 4 Content Group

1.8.4 Content/Repeating Group metadata

This section describes the fields of the Content/Repeating group and format, field requirement, Field Tag and field name, description and usage rules.

The below table provides WPS Wages output file content group field specification


Header Group

| Input Requirement for Establishments | Input Requirement for Banks | Input By | Field Tag | Field Name | Format | Required by |
|---|---|---|---|---|---|---|
| M | M | Establishment | [32B-AMT] | Net amount to be paid to the individual Employee | 15d | SAMA/MoL/Banks |
| M | M | Establishment | [59-ACC] | Beneficiary's account number | 34X | SAMA/MoL/Banks |
| M | M | Establishment | [59-NAME] | Beneficiary customer's name | 4*35z | SAMA/Banks |
| M | M | Establishment | [57-BANK] | Bank's Code where the Beneficiary's account is held | 4*35x | SAMA/Banks |
| O | O | Establishment | [70-DET] | Payment Description | 4*35z | SAMA/Banks |
| N/A | Reserved for Bank use only | BANK | [RET-CODE] | Return Code | 6!A | MoL |
| M | O | Establishment | [MOL-BAS] | Beneficiary's Basic Salary for the current Month | 12d | MoL |
| M | O | Establishment | [MOL-HAL] | Beneficiary's Housing Allowance for the current Month | 12d | MoL |
| M | O | Establishment | [MOL-OEA] | Beneficiary's Other Earnings for the current Month | 12d | MoL |
| M | O | Establishment | [MOL-DED] | Deductions | 12d | MoL |
| M | M | Establishment | [MOL-ID] | Beneficiary's ID | 10d | MoL |
| N/A | M | BANK | [TRN-REF] | Transaction Reference number | 16x | MoL |
| N/A | M | BANK | [TRN-STATUS] | Status of individual transaction | 8a | MoL |
| N/A | M | BANK | [TRN-DATE] | Transaction executed Date | 8d | MoL |

Table 4 Content/Repeating Group Fields


The below table provides content group of Wages output File Field Description & Usage Rules

Field Tag Description and Usage Rules

Content/Repeating Group

This group of fields provides the summary information for each transaction to be processed by Banks. Each row is a single unique transaction. It also provides the employee's wage details: Basic, Housing Allowance, Other Earnings and Deductions. This group of fields contains the transaction details to be updated by Banks. This group of fields can appear one or more times in a WPS Wages output file.

[32B-AMT]

This is the amount of the individual transaction, i.e. the Net Salary to be paid to the Beneficiary (Employee). This is equal to the sum ([MOL-BAS] + [MOL-HAL] + [MOL-OEA] - [MOL-DED]). Banks are not expected to validate this data. The total of all of the individual [32B-AMT] amounts must be equal to the amount appearing in field [32A-AMT] in the Header Group of fields. Valid format is 1234567890123,12

[59-ACC]

Employee account number or Prepaid Record Number registered with the Bank.
• IBAN – 24 digits for local banks, 34 for international banks
• Prepaid Record Number – 20 digits

This field must contain the account number of the Beneficiary. This number will be used by the Beneficiary's Bank to credit the funds. It should be the correct bank account number for the Beneficiary named in field [59-NAME]. This account number must be in either IBAN or PRN format as follows:
• IBAN – this must be a valid IBAN for the Beneficiary. The Establishment must perform an IBAN validation on the contents of this field. The rules for IBAN validation can be obtained from the Establishment's Bank. The IBAN has a fixed length of 24 English-only alphanumeric characters for local banks, and 34 for international banks. All alphabetic characters must be in upper case only. An IBAN account may be maintained with the same bank as the Establishment's Bank or with another Bank in Saudi Arabia.
• If the Employee's salary is to be paid into a prepaid account type, then the Prepaid Record Number (PRN) must appear in this field. The PRN for the Beneficiary must be with the same bank as stated in field [DEST-ID].

[59-NAME]

Name of the Employee registered with the Bank(s). This field must contain the name (and address) of the Beneficiary who is due to receive the amount specified in field [32B-AMT]. It must contain sufficient information to clearly identify the Beneficiary.

[57-BANK]

This is an optional field. If the account number in field [59-ACC] is maintained by the same bank as the Establishment's Bank, then this field is not required. If the IBAN account of the Beneficiary is maintained by another bank in Saudi Arabia, then this field must contain the SARIE ID of the Beneficiary's Bank. Refer to the table below entitled «SARIE Bank IDs» for the full list of Saudi Bank IDs. If the Beneficiary's account is maintained with a Foreign Bank, then the SWIFT Bank Identifier Code (BIC) of the foreign bank must be stated in this field. The correct SWIFT BIC should be obtained from the Beneficiary. The format is alphanumeric characters up to a maximum of 11, all of which must be upper case English characters only. Alternatively, the Name of the Foreign Bank and Branch should be stated in this field; in this case the maximum field length is 4*35 alphanumeric English characters.

[70-DET]

The Establishment may provide a short description of the payment that will enable the Beneficiary to identify the reason for the payment, e.g. 'Salary', 'Expenses', 'Refund of xyz' etc.


[RET-CODE]

This field is reserved for Bank use only. The list of codes to be used by Banks to indicate to the Establishment why the individual transaction has been rejected or returned is set out in the table below entitled «Return Codes». If one or more individual transactions are returned, the Establishment's Bank will debit the Establishment's account with the full amount of the WPS Payment Message File in field [32A-AMT] and separately credit the same account for each of the individual items returned. (Please refer to sub-section 6.2 below)

[MOL-BAS]

Employee Basic wage for the current month. Proposed valid format is 1234567890,00

[MOL-HAL]

Employee Housing allowance for the current month. Proposed valid format is 1234567890,99

[MOL-OEA]

Employee Other Earnings for the current month. Proposed valid format is 1234567890,99

[MOL-DED]

Employee Deductions for the current month. Proposed valid format is 1234567890,99

[MOL-ID]

National ID or IQAMA number of the Employee. For Saudis: Saudi ID (1*********); for Expats: IQAMA (2*********)

[TRN-REF]

Unique number generated by the bank for each transaction execution.

[TRN-STATUS]

Confirms whether the transaction succeeded or failed. If the transaction failed, the reason is stated. Proposed valid values are: Success or Fail

[TRN-DATE]

Date on which the transaction took place in the bank. Proposed format is YYYYMMDD

Table 5 Content Group Fields Usage Rules
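The checks below apply the usage rules from Tables 2 to 5 to a TAB-delimited wages file. This is an added example, not code from the specification; the file layout (tag row, header row, tag row, transaction rows, then "-"), the function names and every sample value are assumptions constructed for illustration, and dates are compared as YYYYMMDD strings in a single calendar.

```python
import re
from decimal import Decimal

AMOUNT_RE = re.compile(r"\d{1,13},\d{2}")  # decimal comma, e.g. 1234567890123,12
DATE_RE = re.compile(r"\d{8}")             # YYYYMMDD (Hijri or Gregorian)
MOL_ID_RE = re.compile(r"[12]\d{9}")       # 1......... Saudi ID, 2......... IQAMA
PRN_RE = re.compile(r"\d{20}")             # Prepaid Record Number
MONEY_TAGS = ("[32B-AMT]", "[MOL-BAS]", "[MOL-HAL]", "[MOL-OEA]", "[MOL-DED]")


def parse_wages_file(text):
    """Split the file into (header, rows) using the ASSUMED layout described above."""
    lines = []
    for line in text.splitlines():
        if line.startswith("-"):  # "-" at the start of a line ends the file data
            break
        if line.strip():
            lines.append(line.split("\t"))
    if len(lines) < 4:
        raise ValueError("expected header tags, header values, content tags, rows")
    header = dict(zip(lines[0], lines[1]))
    rows = [dict(zip(lines[2], values)) for values in lines[3:]]
    return header, rows


def to_amount(value):
    """Convert '5000,00' to Decimal('5000.00'); None if the format is wrong."""
    if not AMOUNT_RE.fullmatch(value or ""):
        return None
    return Decimal(value.replace(",", "."))


def iban_ok(value):
    """ISO 13616 mod-97 check; a Saudi IBAN must be exactly 24 characters."""
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", value):
        return False
    if value.startswith("SA") and len(value) != 24:
        return False
    rearranged = value[4:] + value[:4]
    return int("".join(str(int(ch, 36)) for ch in rearranged)) % 97 == 1


def validate(header, rows, sending_date, seen_file_refs=()):
    """Return a list of rule violations; an empty list means the file passes."""
    errors = []
    for record in [header] + rows:
        for tag, value in record.items():
            if "[" in value or "]" in value:
                errors.append(f"{tag}: square brackets are not allowed in contents")
    if header.get("[32A-CCY]") != "SAR":
        errors.append("[32A-CCY]: currency must be SAR")
    value_date = header.get("[32A-VAL]", "")
    if not DATE_RE.fullmatch(value_date) or value_date < sending_date:
        errors.append("[32A-VAL]: must be YYYYMMDD, not earlier than sending date")
    debit = header.get("[D-DATE]", "")  # optional field
    if debit and not (DATE_RE.fullmatch(debit) and sending_date <= debit <= value_date):
        errors.append("[D-DATE]: must lie between sending date and [32A-VAL]")
    if header.get("[FILE-REF]") in seen_file_refs:
        errors.append("[FILE-REF]: duplicate file reference")
    total = Decimal(0)
    for n, row in enumerate(rows, start=1):
        net, bas, hal, oea, ded = (to_amount(row.get(t)) for t in MONEY_TAGS)
        if None in (net, bas, hal, oea, ded):
            errors.append(f"row {n}: amounts must look like 1234567890,99")
            continue
        total += net
        if net != bas + hal + oea - ded:
            errors.append(f"row {n}: [32B-AMT] is not basic + housing + other - deductions")
        if not MOL_ID_RE.fullmatch(row.get("[MOL-ID]", "")):
            errors.append(f"row {n}: [MOL-ID] must be 10 digits starting with 1 or 2")
        account = row.get("[59-ACC]", "")
        if not (PRN_RE.fullmatch(account) or iban_ok(account)):
            errors.append(f"row {n}: [59-ACC] is neither a valid IBAN nor a 20-digit PRN")
    if to_amount(header.get("[32A-AMT]")) != total:
        errors.append("[32A-AMT]: header total differs from the sum of [32B-AMT]")
    return errors


# Constructed sample (not real data): two transactions, bank-only fields left empty.
SAMPLE = "\n".join([
    "\t".join(["[DEST-ID]", "[ESTB-ID]", "[BANK-ACC]", "[32A-CCY]", "[32A-VAL]",
               "[32A-AMT]", "[D-DATE]", "[FILE-REF]", "[FILE-REJCDE]", "[MOL-ESTBID]"]),
    "\t".join(["BANK", "1234567890", "SA0380000000608010167519", "SAR", "20120630",
               "8500,00", "20120628", "JUNE2012-001", "", "1-12345"]),
    "\t".join(["[32B-AMT]", "[59-ACC]", "[59-NAME]", "[57-BANK]", "[70-DET]",
               "[RET-CODE]", "[MOL-BAS]", "[MOL-HAL]", "[MOL-OEA]", "[MOL-DED]",
               "[MOL-ID]", "[TRN-REF]", "[TRN-STATUS]", "[TRN-DATE]"]),
    "\t".join(["5000,00", "SA7380000000608010167520", "EMPLOYEE ONE", "", "June Salary",
               "", "4000,00", "1000,00", "500,00", "500,00", "1012345678", "", "", ""]),
    "\t".join(["3500,00", "12345678901234567890", "EMPLOYEE TWO", "", "June Salary",
               "", "3000,00", "500,00", "0,00", "0,00", "2012345678", "", "", ""]),
    "-",
])
```

Calling `validate(*parse_wages_file(SAMPLE), sending_date="20120625")` returns an empty list; changing one transaction amount produces both a row-level error and the header-total error.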

2 Transfer of Wages file from Establishment(s) to Bank(s)

(Not related to WPS proposed process, out of scope for WPS)

1. Current Wages file transfer process:
2. Some of the establishments encrypt the monthly wages file by the following methods:
   a. A few banks use Rijndael Cryptography
   b. A few banks use SSL encryption
   c. A few banks receive the file encrypted with the RC4 algorithm
   d. A few establishments use DES(124K) encryption
3. Establishments transfer the encrypted wages file (as defined above) to Banks through the modes of transfer listed below only. There is no restriction on the file name format for the wages file.
   a. Internet banking - the Establishment uploads the wages file into the Bank's portal.
   b. E-mail - the Establishment sends the wages file to the email ID of the Bank's designated users.
   c. CD - the Establishment makes a copy of the wages file, saves it on a CD and ships it to the Bank.

3 Transfer of Wages output file from Bank(s) to Establishment(s)


3.1 Current process of wages output files by Bank(s)

(Not related to WPS proposed process, out of scope for WPS)

1. Some (or most) of the banks receive the wages file encrypted from establishments.
2. In cases where files are encrypted, Banks decrypt them and do the preliminary check (then verify "the total amount of summary section should be less than the amount in the establishments debit account") before proceeding further.
3. After processing the wages file, banks send the following:
   a. WPS wage output file
   b. Exception reports, if any. An exception might have occurred in case of inability to execute all or part of the transaction file because of establishment account issues.

3.2 Expected process of wages output file by Bank(s)

In the current process WPS is expecting the following information (highlighted in yellow) to be updated by banks in the Wages File for each transaction in the content group.

Figure 5 Content/Repeating Group of fields

• Transaction Reference [TRN-REF]
• Failure Reason [RET-CODE] (if applicable)
• Transaction Status [TRN-STATUS]
• Transaction Date [TRN-DATE]
• File Rejection Code [FILE-REJCDE] (if applicable)

• Before the start of the wages file processing, banks could view the Wages File as

Figure 5 Content/Repeating Group (Wages file before processing by Bank)

• After the processing of the Wages file by the bank, the Wages file should look as below:

Figure 6 Content/Repeating Group (Wages file after processed (by Bank(s))

3.3 Signing of Processed Wages file by Bank

• Banks append a digital signature on the monthly/settlement Wages File after processing the file.
• File format is a text format

The following are the steps for banks to add a digital signature to the wages file:


3.3.1 WPS Recommendations about Digital Signature

1. Do not include a digital time stamp within the signature.
2. The complete signature should be on one line.
3. “–” should be the end of file, and it should not be considered during signature generation.
4. The algorithm for creating the digital signature should be “SHA1withRSA”.
5. All banks should use the same mechanism to create the signature and append it to the data file.
6. Use UTF-8 encoding for the output file.
7. Validate the Digital Certificate with respect to the Root Certificate.

3.3.2 Purchase Digital Certificate from Certificate Authority

1. Banks are to purchase a digital certificate from VeriSign.
2. VeriSign provides the following PKI:
   a. Private Key to the banks,
   b. Public key, which is shared with any trusted party (MoL-WPS) and is saved in the WPS Database.
3. Banks use the certificate purchased above from the Certificate Authority (CA) to digitally sign the wage output file.

3.3.3 Digital Certificate

1. To certify (digitally sign) the Wages file, using the above purchased certificate, Banks should use any third party tools of their choice (refer to section 3.3.4).
2. The objective of adding a Digital Signature is to ensure:
   a. Authenticity - to verify the source of the signature
   b. Integrity - Wages files sent by banks to establishments have not been altered after they were signed (proof of content)
   c. The signed party’s certificate is checked for revocation status.

3.3.4 Steps to Append Digital Signature to Wage File

The following steps are for illustration purposes only. Banks can use the attached source code (after SAMA approval) to generate the Digitally Signed Processed Wages files.

DigiSign.java.zip

For creation of signature
• Getting the private key and public key from the Certificate Authority (CA)
• Creating the signature with SHA1withRSA
• Reading the file
• Verifying whether the file is already signed or not
• If signed, returning the already signed message


• If not signed, go to “-”
• Create the base64 using the base64encoder.encode method in Java
• Use Base64 bit for the digital signature format, and replace all line separators with “”
• Then write the bytes in the file.
• Flush and close the file

Note: Attached are the sample files generated from the source code and respective certificate for verification. These below sample files are only for reference not for actual use.

WPS_ENG_R.TXT

3.3.4.1 Necessary purchases

Here is the list of items to be purchased by various entities:

Item | Banks
Public Key from VeriSign | To Buy
Private Key from VeriSign | To Buy
Renewing of Public and Private Key | To Buy
Technical resources involved who is responsible to install Private key in Banks machine | To Buy
Certificate Revocation list | To Buy (if any)
Any additional maintenance incurred towards public/private keys | To Buy
API/Services | N/A
Number of Certificate licenses | To Buy
Digital signing tool | To Buy (if not having)
Renewing of Digital Signing tool | To Buy
Any additional maintenance incurred towards Digital Signing tool | To Buy

Table 2 Necessary Purchases

3.4 Communicating the output file back to Establishment

As agreed by banks, banks will transfer the digitally signed wages file to establishments using their existing common practice. WPS is fine with the current options followed during the transfer of file from establishment to banks. WPS is expecting the banks to retain the Wages File for a period of 3 months.

Some of the modes of transfer identified are as below:
• Internet banking - WPS is expecting the banks to retain the output file for a period of 3 months.
• E-mails
• CD


Banks must use the Minimum Security standard which is mandated by SAMA. The file must be either:
A. Digitally signed file and Encrypted using Asymmetric Cryptography, OR
B. Digitally signed file and Conveyed via a secure (private) network link.

3.5 Validating Digital Signatures by WPS

(This is only for information)

1. Banks send a certified (digitally signed) wage file in csv format to the Establishment.
2. The Establishment can open the wages file.
3. The Establishment gets a digitally signed wages file and uploads it into WPS.
4. In WPS, a service will check the digital signature in the uploaded wage file and verify/validate it against the public key of the corresponding bank, which is stored in the WPS database.
   a. The file is saved in WPS after the successful validation of the digital signature.
   b. Otherwise, the Establishment is informed of the violation and is asked to re-send the file with a valid signature.
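The signing steps of section 3.3.4 and the validation of section 3.5, shown together as an added Java example (it is not the DigiSign source attached to the specification). The file layout (body, a line holding only "-", then the one-line Base64 signature), the class and method names, and the throwaway key pair standing in for the bank's CA-issued key are assumptions; the sample rows are constructed. Certificate chain and revocation checks are outside this sketch.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

public class WagesFileSignatureDemo {
    // Assumed layout: body, a line holding only "-", then the one-line signature.
    static final String MARKER = "\n-\n";
    // Algorithm named in section 3.3.1; note SHA-1 is no longer collision-resistant.
    static final String ALG = "SHA1withRSA";
    static byte[] body(String file) {    // bytes covered by the signature: marker excluded, UTF-8
        int i = file.lastIndexOf(MARKER);
        if (i < 0) throw new IllegalArgumentException("no end-of-file marker");
        return file.substring(0, i).getBytes(StandardCharsets.UTF_8);
    }
    static String trailer(String file) { // text after the marker: the signature, or empty
        return file.substring(file.lastIndexOf(MARKER) + MARKER.length()).trim();
    }
    static String sign(String file, PrivateKey key) throws GeneralSecurityException {
        byte[] data = body(file);                     // also rejects files without the marker
        if (!trailer(file).isEmpty()) return file;    // already signed: return unchanged
        Signature s = Signature.getInstance(ALG);
        s.initSign(key);
        s.update(data);
        // The basic encoder emits no line separators, so the signature stays on one line.
        String sig = Base64.getEncoder().encodeToString(s.sign());
        return file.substring(0, file.lastIndexOf(MARKER)) + MARKER + sig;
    }

    static boolean verify(String file, PublicKey key) throws GeneralSecurityException {
        try {
            byte[] data = body(file);
            byte[] sig = Base64.getDecoder().decode(trailer(file));
            if (sig.length == 0) return false;        // unsigned file
            Signature s = Signature.getInstance(ALG);
            s.initVerify(key);
            s.update(data);
            return s.verify(sig);
        } catch (IllegalArgumentException | SignatureException e) {
            return false;   // missing marker, bad Base64 or malformed signature
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();   // throwaway key standing in for the bank's key
        String signed = sign("HDR,constructed\nTXN,ref-1,100,00\n-\n", kp.getPrivate());
        System.out.println("signed file verifies: " + verify(signed, kp.getPublic()));
        String tampered = signed.replace("100,00", "900,00");   // amount changed after signing
        System.out.println("tampered file verifies: " + verify(tampered, kp.getPublic()));
    }
}
```

Both sides must hash exactly the same bytes, which is why the marker line and the signature line are stripped before signing and before verifying, and why the encoding is pinned to UTF-8.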

4 Encryption Risk Assessment (Exchanging the File between Establishments and Banks)

1. It is important to secure the file contents while exchanging them between the Establishments and Banks due to the sensitive nature of the data. Since there are literally thousands of establishments participating in the WPS program, any incident of breach of confidentiality might result in legal proceedings and disputes.
2. To ensure success of the WPS program, it is a good practice to encrypt such sensitive data while exchanging it between the Establishments and Banks even if it is sent over secure transport. In a security incident where a file falls into the hands of an unauthorized person, the file will still be encrypted and unreadable (refer to section 3.4).

4.1 Risk involved in not encrypting the WPS wages file/data

Chances of getting sensitive and confidential data exposed to unauthorized users. Sensitive and confidential data might be salaries of employees or salaries of key employees of the establishment.

5 Appendix

Numerous third party products are available to add a digital signature to an Excel or text file. Secure2SignXL is one such third party vendor. The following attachment gives the comparison and the conclusion for choosing a txt file over Excel.

Comparison of Excel and Txt File Types.dc


5.1 Transaction Failure Reason Table

The following table is a partial list of assumed failure reasons and the codes that are generated for each failure reason. This list is not final and should be updated after the BANK/SAMA workshop. These codes should be used in field [RET-CDE] of the individual transaction(s) being rejected or returned.

Code | Explanation
DUPREC | The content of field in the content/Repeating group is a duplicate of another individual transaction in this WPS Payment Message File. The code DUPREC must also appear in field [RET-CODE] of the other individual transaction(s) with the same transaction reference
INVLID | Invalid account number for the Beneficiary
CLOSED | Beneficiary’s account is closed
EXPRID | The Beneficiary’s account is blocked because the account holder's National ID or IQAMA has expired
NAMENM | The name of the Beneficiary in field [-59NAM] does not match the account number in field [-59ACC]
MORERC | The individual transaction has been rejected for more than one reason. The Establishment should contact the Establishment's Bank for more detailed information about the reasons for the rejection

Table 6 Failure Reason Table

5.2 SARIE Bank IDs

This table provides the list of valid SARIE IDs for banks who are Participants in the SARIE payments system. These IDs should be used in Field [DEST-ID] and may also be used in field [57-BANK].

Changes to this table will be advised to all stakeholders and will be published on the SAMA website www.sama.gov.sa.

SARIE ID | Bank Name | SARIE ID | Bank Name
AAAL | Saudi Hollandi Bank | NBOK | National Bank of Kuwait
ALBI | Bank AlBilad | NBPA | National Bank Of Pakistan
ARNB | Arab National Bank | NCBK | National commercial Bank
BJAZ | Bank AlJazira | RIBL | Riyad Bank
BMUS | Bank Musqut | RJHI | Al Rajhi Bank
BNPA | BNP Paribas | SABB | Saudi British Bank
BSFR | Banque Saudi Fransi | SAMA | SAMA
DEUT | Deutsche Bank | SAMB | SAMBA Financial Group
EBIL | Emirate Bank | SBIN | State Bank of India
GULF | GULF International Bank | SIBC | Saudi Investment Bank
INMA | Al Inma Bank | TCZB | T.C. Ziraat Bank
NBOB | National Bank of Bahrain | |


5.3 File Rejection Codes

These codes should be used in field [FILE-REJCDE] in the Header Group of fields when an entire WPS Payment Message File is being rejected by the Establishment's Bank

Code | Explanation
DIFFRT | The amount in field [32A-AMT] is not equal to the sum of the amounts in all of the individual transactions' field [32B-AMT]
DUPFIL | The file Reference in field [FILE-REF] is a duplicate of a previously received WPS Payment Message File, or Payroll file
DUPREC | The reference used between the banks and its customer (Establishments) appears in more than one individual transaction in the Repeating Group of fields of input file (Payroll file) or WPS Payment Message File (if it is used by the establishments).
MORERC | The WPS Payment Message File has been rejected for more than one reason. The Establishment should contact the Establishment's Bank for more detailed information about the reasons for the rejection
NAMENM | The name of the Beneficiary in field [-59NAM] does not match the account number in field [-59ACC]
MORERC | The individual transaction has been rejected for more than one reason. The Establishment should contact the Establishment's Bank for more detailed information about the reasons for the rejection

Table 8 File Rejection Codes

5.4 Format Conventions

The following conventions will apply to the contents of the column headed "Format" in the above WPS Payment Message File Field Specifications table.

Code | Explanation | Examples
Number | The number which is shown first in the Format column specifies the maximum number of characters that may be used in this field | '4' = up to four characters of the type specified for this field
! | The exclamation mark is used to state if a field has a fixed length | '6!A' = must have six characters of the type specified for this field. '6A' (i.e. '!' not present) = up to six characters of the type specified for this field
X | Alphanumeric 0 to 9, and A to Z, English version only. Alpha characters must be in upper case | Valid formats are: 46 ABC; XYZ; DEF123; 234. The following formats are not valid in this field: 46 Abc; xyz; Def123


x | Alphanumeric, English version only. 0 to 9, a to z, and A to Z. Alpha characters may be in either upper or lower case | ABCD5678. The following formats are not valid in this field: 456-123; Abc/xyz
A | Alphabetic character, English version only, A to Z. All of the characters in this field must be in upper case | 'SAR' = Saudi Arabian Riyals. NOTE: 'Sar' or 'sar' are not valid in this field
a | Alphabetic character, English version only, A to Z and a to z. Either lower or upper case may be used in this field | Valid formats are: xyz; Def; ABCD. The following formats are not valid in this field: 12345; Abc3456
z | Alphanumeric characters in either English or Arabic and may be in either upper or lower case. | NOTE: a mixture of Arabic and English is not permitted within the same field
d | Digits only. Numeric characters 0 to 9. A comma (,) is used to identify the decimal point. | Valid formats are: 23468,25; 986; 986,00. The following formats are invalid in this field: 469.; 23,468,25; 1347,234

Table 9 Format Conventions
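A receiving system can enforce Table 9 before any further processing of a field. The following is an added Java example, not code from the specification. The class and method names, the combined spec syntax (length, optional '!', type code), the treatment of the space character, and the two-decimal limit for 'd' (inferred from "1347,234" being listed as invalid) are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class WpsFormatCheck {
    // Assumed spec syntax, generalised from '6!A' / '6A': <max length>[!]<type code>.
    private static final Pattern SPEC = Pattern.compile("(\\d+)(!?)([XxAazd])");

    static boolean matches(String spec, String value) {
        Matcher m = SPEC.matcher(spec);
        if (!m.matches()) throw new IllegalArgumentException("bad format spec: " + spec);
        int max = Integer.parseInt(m.group(1));
        int len = value.codePointCount(0, value.length());
        if (len == 0 || len > max) return false;
        if (!m.group(2).isEmpty() && len != max) return false;   // '!' = fixed length
        switch (m.group(3).charAt(0)) {
            case 'X': return value.matches("[0-9A-Z ]+");   // space allowed: "46 ABC" is listed as valid
            case 'x': return value.matches("[0-9A-Za-z]+");
            case 'A': return value.matches("[A-Z]+");
            case 'a': return value.matches("[A-Za-z]+");
            // One comma as decimal point; two-decimal limit inferred from "1347,234" being invalid.
            case 'd': return value.matches("[0-9]+(,[0-9]{1,2})?");
            default:  return singleLanguage(value);          // 'z'
        }
    }

    // 'z': English or Arabic alphanumerics, but never both scripts in one field.
    static boolean singleLanguage(String value) {
        boolean english = false, arabic = false;
        for (int cp : value.codePoints().toArray()) {
            if (Character.isDigit(cp) || cp == ' ') continue;   // treated as script-neutral (assumption)
            if ((cp >= 'A' && cp <= 'Z') || (cp >= 'a' && cp <= 'z')) english = true;
            else if (Character.isLetter(cp)
                    && Character.UnicodeScript.of(cp) == Character.UnicodeScript.ARABIC) arabic = true;
            else return false;
        }
        return !(english && arabic);
    }

    public static void main(String[] args) {
        String[][] cases = {   // X/A/d/x values come from Table 9; specs and z values are constructed
            {"6X", "46 ABC"}, {"6X", "46 Abc"}, {"3!A", "SAR"}, {"3!A", "Sar"},
            {"9d", "23468,25"}, {"9d", "23,468,25"}, {"9d", "469."}, {"9d", "1347,234"},
            {"8x", "456-123"}, {"20z", "Riyadh 12"}, {"20z", "Riyadh \u0627\u0644\u0631\u064A\u0627\u0636"} };
        for (String[] c : cases)
            System.out.println(c[0] + " \"" + c[1] + "\" -> " + matches(c[0], c[1]));
    }
}
```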